Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled r=webdriver-reviewers,whimboo

When BiDi is disabled, skip the origin header check to support existing CDP clients. Differential Revision: https://phabricator.services.mozilla.com/D138705
2022-02-16 06:25:35 +00:00 · 2022-02-16 06:25:35 +00:00 · 45ba1a81d3
--- a/remote/server/WebSocketHandshake.jsm
+++ b/remote/server/WebSocketHandshake.jsm
@ -109,14 +109,19 @@ function isIPAddress(uri) {
 * Sec-WebSocket-Accept response header.
 */
 function processRequest({ requestLine, headers }) {
-  const origin = headers.get("origin");
+  // Enable origin header checks only if BiDi is enabled to avoid regressions
+  // for existing CDP consumers.
+  // TODO: Remove after Bug 1750689 until we can specify custom hosts & origins.
+  if (RemoteAgent.webDriverBiDi) {
+    const origin = headers.get("origin");

-  // A "null" origin is exceptionally allowed in browser mochitests.
-  const isTestOrigin = origin === "null" && nullOriginAllowed;
-  if (headers.has("origin") && !isTestOrigin) {
-    throw new Error(
-      `The handshake request has incorrect Origin header ${origin}`
-    );
+    // A "null" origin is exceptionally allowed in browser mochitests.
+    const isTestOrigin = origin === "null" && nullOriginAllowed;
+    if (headers.has("origin") && !isTestOrigin) {
+      throw new Error(
+        `The handshake request has incorrect Origin header ${origin}`
+      );
+    }
  }

  const hostHeader = headers.get("host");
--- a/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py
+++ b/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py
@ -2,6 +2,8 @@ import json

 import pytest

+from http.client import HTTPConnection
+
 from tests.support.http_request import HTTPRequest
 from . import using_context

@ -70,3 +72,37 @@ def test_debugger_address_true_fission_override(session):
            session.execute_script("""return Services.appinfo.fissionAutostart""")
            is True
        )
+
+
+@pytest.mark.parametrize("origin", [None, "", "sometext", "http://localhost:1234"])
+@pytest.mark.capabilities(
+    {
+        "moz:debuggerAddress": True,
+        "moz:firefoxOptions": {
+            "prefs": {
+                "remote.active-protocols": 2,
+            }
+        },
+    }
+)
+def test_origin_header_allowed_when_bidi_disabled(session, origin):
+    debugger_address = session.capabilities.get("moz:debuggerAddress")
+    assert debugger_address is not None
+
+    url = f"http://{debugger_address}/json/version"
+
+    conn = HTTPConnection(debugger_address)
+    conn.putrequest("GET", url)
+
+    if origin is not None:
+        conn.putheader("Origin", origin)
+
+    conn.putheader("Connection", "upgrade")
+    conn.putheader("Upgrade", "websocket")
+    conn.putheader("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
+    conn.putheader("Sec-WebSocket-Version", "13")
+    conn.endheaders()
+
+    response = conn.getresponse()
+
+    assert response.status == 200